Manual Chapter: Configuration Guide for BIG-IP® version 9.2.2 Global Traffic Management: Communicating with External Systems - 3


Chapter 3: Communicating with External Systems


Introducing external system communication

The previous chapter described the essential tasks associated with configuring a Global Traffic Manager system. With these tasks completed, you have a system that is fully capable of handling name resolution requests, although it is likely that some additional configuration steps might be required to customize the Global Traffic Manager to meet the needs of your specific network.

However, before the Global Traffic Manager can operate as an integrated component within your network, you must first establish how the Global Traffic Manager can communicate with other external systems. An external system is any server with which the Global Traffic Manager must exchange information to perform its functions. Examples of external systems include:

  • Other BIG-IP products, such as Local Traffic Managers, Link Controllers, or Global Traffic Managers
  • Third-party load balancing servers
  • Third-party hosts

In general there are three different methods of establishing communications with external systems. You can:

  • Add an initial Global Traffic Manager (the first Global Traffic Manager that you install on the network)
  • Add subsequent Global Traffic Managers
  • Add third-party servers

Communicating with BIG-IP systems

When the Global Traffic Manager communicates with other BIG-IP systems, such as Local Traffic Managers or Link Controllers, it uses a proprietary protocol called iQuery to send and receive information. If the Global Traffic Manager is communicating with a BIG-IP system, it uses a software utility called big3d to handle the information traffic. If the Global Traffic Manager is instead talking with another Global Traffic Manager, it uses a different utility, called gtmd, which is designed for that purpose. For more details on how the Global Traffic Manager uses the big3d agent, see Appendix A, Working with the big3d Agent.

The Global Traffic Manager can communicate with older BIG-IP products; however, all products must receive an updated big3d utility. Consequently, part of the process when establishing communications between the Global Traffic Manager and other BIG-IP products is to open port 22 and port 4353 between the two systems. Port 22 allows the Global Traffic Manager to copy the newest version of the big3d utility to existing systems, while iQuery requires port 4353 for its normal communications.

Table 3.1 lists the requirements for each communication component between the Global Traffic Manager and other BIG-IP systems.

Table 3.1 Requirements for communication components (BIG-IP).

  Communication Component | Requirements
  ------------------------|------------------------------------------------------------------
  Ports                   | Port 22, for secure file copying of entities like big3d.
                          | Port 4353, for iQuery communication.
  Utilities               | big3d, for Global Traffic Manager to BIG-IP system communication.
  Protocols               | iQuery
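The port requirements in Table 3.1 are the first thing to verify before running big3d_install, because a blocked port 22 or 4353 shows up later as an unexplained script failure or a server that never leaves the "unknown" state. The following is an added example, not part of the original manual or of any F5 tool: a small Python checker that attempts a TCP connection to each required port on each BIG-IP address you supply. The host addresses on the command line are placeholders you replace with your own; the self_check function uses a local listener and a just-released local port, both constructed for the example, so it runs offline.

```python
import socket
import sys
from contextlib import closing

# Ports that Table 3.1 requires between a Global Traffic Manager and a BIG-IP system
REQUIRED_PORTS = {
    22: "SSH: big3d_install copies the big3d utility over this port",
    4353: "iQuery: normal Global Traffic Manager to big3d communication",
}


def port_reachable(host, port, timeout=2.0):
    """Attempt a TCP connect; True if the handshake completes, False on
    refusal, timeout or any other socket error (a filtering firewall usually
    shows up as a timeout, a closed port as a refusal)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:
            return False
        return True


def check_bigip(host, ports=None, timeout=2.0):
    """Return {port: reachable} for every required port on one BIG-IP address."""
    ports = REQUIRED_PORTS if ports is None else ports
    return {port: port_reachable(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that must be opened before big3d_install and iQuery can work."""
    return sorted(port for port, ok in results.items() if not ok)


def self_check():
    """Offline demonstration with constructed endpoints: a local listener stands
    in for an open port, a just-released ephemeral port stands in for a blocked
    one. Returns (open_seen, blocked_seen, blocked_list_is_correct)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so connects are refused
    try:
        results = check_bigip("127.0.0.1",
                              {open_port: "open", closed_port: "closed"},
                              timeout=1.0)
    finally:
        listener.close()
    return results[open_port], results[closed_port], blocked_ports(results) == [closed_port]


if __name__ == "__main__":
    # Usage: python check_iquery_ports.py 10.0.0.5 10.0.0.6   (placeholder addresses)
    for host in sys.argv[1:] or ["127.0.0.1"]:
        results = check_bigip(host)
        for port, ok in sorted(results.items()):
            state = "open" if ok else "BLOCKED"
            print(f"{host}:{port} {state}  ({REQUIRED_PORTS[port]})")
```

Run it from the Global Traffic Manager itself (or a host on the same network segment), since the check only tells you about the path from where it runs; a port that is open from your workstation but filtered between the two BIG-IP systems still breaks iQuery.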

Establishing communications between the Global Traffic Manager and other external systems

The steps you follow to establish communications between a Global Traffic Manager and other systems on your network are different, depending on whether the Global Traffic Manager is the first Global Traffic Manager that you are adding to your network, or a subsequent system.

To establish communications between the initial Global Traffic Manager and other systems, you must complete the following tasks:

  • Add BIG-IP systems to the Global Traffic Manager
  • Secure communications between the systems
  • Add virtual servers to the Global Traffic Manager

Adding BIG-IP systems to the Global Traffic Manager

The following steps outline how to add a BIG-IP system to the Global Traffic Manager through the Configuration utility. For more information on adding BIG-IP systems and other servers, see Chapter 5, Defining the Physical Network .

To add a BIG-IP system to the Global Traffic Manager

  1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
    The main screen for servers opens.
  2. Click the Create button.
    The New Server screen opens.
  3. In the Name box, type a name that identifies the BIG-IP system.
  4. From the Product list, select BIG-IP System (Single).
    Global Traffic Managers, Local Traffic Managers, and Link Controllers all fall under the BIG-IP product family. Any time you add one of these systems as a server you use the same criteria:
    • If the system is a primary system, select BIG-IP System (Single).
    • If the system is part of a redundant system, select BIG-IP System (Redundant).
  5. For the Address List setting, add the IP address of the server.
    To add the IP address, type the address in the Address box, and then click Add.
    You can add more than one address to any given server, depending on how that server interacts with the rest of your network. For example, if the current Global Traffic Manager is part of a redundant system, you would add the IP addresses of the primary and backup systems.
  6. From the Data Center list, select a data center to which the BIG-IP system belongs.
    A server must belong to a data center. See Chapter 5, Defining the Physical Network for additional information.
  7. Configure the remaining server settings, including the virtual servers managed by the BIG-IP system.
    For additional assistance on these settings, see the online help.
  8. Click the Create button to create the new server.

Securing communications

In order for the Global Traffic Manager to communicate with another BIG-IP system, two criteria must be met:

  • The Global Traffic Manager must be able to authenticate with the BIG-IP system
  • The BIG-IP system must be able to authenticate with the Global Traffic Manager

To meet these two criteria, the Global Traffic Manager employs SSL certificate authentication. This type of authentication involves an SSL certificate, along with a corresponding key. When the Global Traffic Manager needs to communicate with another BIG-IP system, that system first informs the Global Traffic Manager that it must authenticate using a specific SSL certificate.

In this type of authentication scenario, there are two roles: a client role and a server role. Each role must complete the authentication process; it is not enough, for example, for a client, such as the Global Traffic Manager, to authenticate itself to a server, such as a Local Traffic Manager. That external server must also authenticate its role with the client as well. This configuration ensures that both systems can trust each other's information. It is important to note that this type of authentication occurs on a per-role basis. If, in another exchange of information, the Global Traffic Manager fills a server role, then it must be able to authenticate itself as a server. The authentication offered when it filled the client role is no longer sufficient.

Acquiring SSL certificates through scripts (all product versions)

For all versions of Global Traffic Manager and Local Traffic Manager, you can acquire SSL certificates through the use of the big3d_install and gtm_add scripts. If the Global Traffic Manager is the first Global Traffic Manager that you are installing, you use the big3d_install script to specify the IP addresses of any Local Traffic Managers with which the Global Traffic Manager must communicate. If the Global Traffic Manager is a subsequent unit (a Global Traffic Manager that will belong to a synchronization group that includes other Global Traffic Managers that you have already integrated into your network infrastructure), then you use the gtm_add script. This script acquires the configuration files of an already-configured Global Traffic Manager, which includes the SSL certificates of external systems.

Note

Information on using the gtm_add script is available in Configuring subsequent Global Traffic Managers .

Through the big3d_install script, you specify the IP addresses of any Local Traffic Managers with which the Global Traffic Manager must communicate. This script then accomplishes three tasks:

  • It adds the SSL certificate to the client.crt file of the Local Traffic Manager.
  • It acquires the SSL certificate of the Local Traffic Manager, and adds it to the server.crt file for the Global Traffic Manager.
  • It installs the big3d utility on the system.

After the big3d_install script completes these tasks, the Global Traffic Manager and the specified Local Traffic Managers can exchange information. The Global Traffic Manager is authorized to fill the client role in the exchange, while the Local Traffic Manager is authorized to fill the server role.

Note

You must run the big3d_install script for the Global Traffic Manager to communicate with other BIG-IP systems.

To run the big3d_install script

  1. Log into the system that hosts the Global Traffic Manager.
  2. At the command prompt, type the following:

     big3d_install [IP address]...

     Note: You can supply multiple IP addresses when running the big3d_install script. In this situation, you separate each IP address with a space.

  3. Press the Enter key to run the script.
    As the script completes each configuration task, it prompts you for a password that allows it to access the Local Traffic Manager and update the SSL certificates. This prompt can appear several times.

Acquiring SSL certificates using the Configuration utility (product version 9.0 or later)

If the SSL certificate you want resides on a BIG-IP system version 9.0 or later, you can use the Configuration utility to export the SSL certificate and then import it into the Global Traffic Manager.

Exporting SSL certificates

If the BIG-IP system is version 9.0 or later, you can export the SSL certificate and then add it to the Global Traffic Manager.

To export an SSL certificate

  1. On the Main tab of the navigation pane, expand System and click Device Certificates.
    The Device Certificate screen opens.
  2. Click the Export button.
    The export screen appears.
  3. Determine if you want to copy the certificate or export it to a file:
    • If you want to copy the certificate, select the contents of the Certificate Text box and copy it.
    • If you want to export the certificate to a file, click the Download server.crt button. A dialog box opens that allows you to save the certificate to the location of your choice.

Importing SSL certificates

When you incorporate a Global Traffic Manager into your network, you must configure it with the appropriate SSL certificates of the other systems with which the Global Traffic Manager will communicate. If the external system fulfills the role of a server in its communications with the Global Traffic Manager, you must add its SSL certificate to the Trusted Server Certificates section of the Configuration utility.

To import an SSL certificate as a client

  1. On the Main tab of the navigation pane, expand System and click Device Certificates.
    The Device Certificate screen opens.
  2. On the menu bar, click Trusted Device Certificates.
    The Trusted Device Certificates screen opens.
  3. Click the Import button.
    The import certificate screen opens.
  4. From the Import Type box, select Certificate.
  5. Determine if you want to paste the certificate or upload it as a file:
    • If you exported the certificate through copying it from the external system, enable the Paste Text option.
      A box appears in which you can paste the certificate.
    • If you saved the certificate as a file, enable the Upload File option. You can then either type the path to the file manually, or use the Browse button to navigate to the file's location.

To import an SSL certificate as a server

  1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
    The main server screen opens.
  2. On the menu bar, click Trusted Server Certificates.
    The Trusted Server Certificates screen opens.
  3. Click the Import button.
    The import certificate screen opens.
  4. From the Import Method list, determine if you want to replace the existing certificate file, or append the certificate to the existing file.
    • Note: You can only upload a certificate file if you are replacing the existing file. You cannot upload a file if you want to append the certificate to an existing file.
  5. If you chose to replace the existing certificate file, select whether you want to paste the certificate or upload it as a file.
    • If you exported the certificate through copying it from the external system, enable the Paste Text option.
      A box appears in which you can paste the certificate.
    • If you saved the certificate as a file, enable the Upload File option. You can then either type the path to the file manually, or use the Browse button to navigate to the file's location.
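The two import procedures above put certificates into different trust files: the Trusted Device Certificates store governs what the Global Traffic Manager accepts when it acts as a client, and the Trusted Server Certificates file (server.crt, the file big3d_install also writes) governs which BIG-IP systems it will trust as servers. The Import Method choice on the second procedure, Replace versus Append, is where mistakes happen: a Replace drops every certificate currently trusted, and a careless Append can leave duplicates or a truncated block in the file. The following is an added example, not code from the manual or from F5: a Python model of the two import methods that parses a PEM bundle, fails closed on any malformed block, deduplicates by SHA-256 fingerprint, and prints the fingerprints so you can compare them against what the exporting system shows. The certificate bodies are constructed minimal DER sequences, not real X.509 certificates, so the example runs offline; the structure of a real server.crt (concatenated PEM blocks) is the same.

```python
import base64
import hashlib
import re
import textwrap

# One PEM certificate block: a base64 body between the BEGIN/END markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----",
    re.DOTALL,
)


def _decode_block(body):
    """Decode one PEM body to DER. Raise ValueError if it is not valid base64
    or does not start with the DER SEQUENCE tag (0x30) that every X.509
    certificate begins with."""
    compact = "".join(body.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    return der


def parse_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle (client.crt,
    server.crt, or pasted text). Fails closed: one malformed block rejects
    the whole input, so nothing half-parsed lands in a trust store."""
    blocks = _PEM_BLOCK.findall(text)
    if not blocks and text.strip():
        raise ValueError("no certificate blocks found")
    return [_decode_block(body) for body in blocks]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most tools display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Re-encode DER as a normalized PEM block with 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def import_certificate(existing_bundle, new_text, method):
    """Model the two Import Method choices: 'replace' discards the current
    file entirely, 'append' keeps it and adds only certificates that are not
    already trusted (deduplicated by fingerprint)."""
    new_certs = parse_bundle(new_text)
    if not new_certs:
        raise ValueError("import text contains no certificate")
    if method == "replace":
        kept = []
    elif method == "append":
        kept = parse_bundle(existing_bundle)
    else:
        raise ValueError("method must be 'replace' or 'append'")
    seen = {fingerprint(cert) for cert in kept}
    for cert in new_certs:
        fp = fingerprint(cert)
        if fp not in seen:
            kept.append(cert)
            seen.add(fp)
    return "".join(to_pem(cert) for cert in kept)


def fingerprints(bundle_text):
    """Fingerprints of every certificate in a bundle, in file order."""
    return [fingerprint(cert) for cert in parse_bundle(bundle_text)]


def is_well_formed(text):
    """True if the text holds at least one certificate and no malformed block."""
    try:
        return bool(parse_bundle(text))
    except ValueError:
        return False


# Constructed sample data: minimal DER SEQUENCEs standing in for real X.509
# certificates. A real server.crt holds the exported Device Certificate of
# each Local Traffic Manager the Global Traffic Manager trusts as a server.
CERT_A = to_pem(b"\x30\x03\x02\x01\x01")
CERT_B = to_pem(b"\x30\x03\x02\x01\x02")
EXISTING_SERVER_CRT = CERT_A  # what the file held before the import

if __name__ == "__main__":
    appended = import_certificate(EXISTING_SERVER_CRT, CERT_B, "append")
    for fp in fingerprints(appended):
        print("trusted server certificate:", fp)
```

Before appending to a production trust file, compare the fingerprint printed here with the one shown on the exporting system's Device Certificate screen; a certificate pasted from the wrong box, or truncated in the clipboard, is rejected by parse_bundle rather than silently trusted.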

Adding virtual servers to the BIG-IP system

Before the Global Traffic Manager can load balance requests to a new server, you must add virtual servers that the new server manages. You can add virtual servers using two methods: manually, or automatically.

Adding virtual servers manually

You can use the Configuration utility to add a virtual server manually to the Global Traffic Manager. This task is helpful when you have only a select number of virtual servers that you would like to include with your Global Traffic Manager configuration.

To add a virtual server manually

  1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
    The main screen for servers opens.
  2. Click the name of the server to which you want to add virtual servers.
    The properties screen for that server appears.
  3. On the menu bar, click Virtual Servers.
    The virtual servers screen opens.
  4. From the Virtual Server Discovery list, select Disabled.
  5. Click the Update button to implement this change.
  6. Click the Add button to begin adding a new virtual server.
    The new virtual server screen opens.
  7. Add the virtual server, using the settings on this screen.
    For more information on these settings, see the online help.
  8. Click the Create button to save the new virtual server.

For more information, see Chapter 5, Defining the Physical Network .

Adding virtual servers automatically

The Global Traffic Manager includes a feature, called auto-discovery, with which you can add virtual servers automatically to a given server. To add virtual servers using this method, see Chapter 12, Discovering Resources through Auto-Discovery .

Configuring subsequent Global Traffic Managers

If you are integrating multiple Global Traffic Managers within your network, you do not need to use the big3d_install script for each one. Instead, you can use the gtm_add script. This script accomplishes a single task: it acquires the configuration files of another Global Traffic Manager on your network.

The gtm_add script is very important, especially if you want the Global Traffic Manager to be part of an existing synchronization group. As described in Chapter 11, Synchronizing Global Traffic Managers , synchronization works by having each Global Traffic Manager check to ensure that it has the latest configuration files and, if not, to acquire the latest files. This has a potential drawback when you install a new Global Traffic Manager into your network, because the new system has the most recent files (based on the timestamps) but has yet to be configured. As a result, there is a risk that the unconfigured files of the new Global Traffic Manager could override the configurations of your existing Global Traffic Managers.

The gtm_add script circumvents this issue. With this script, you specify the IP address of an existing Global Traffic Manager. The script then accesses that system and copies its configuration files to the new Global Traffic Manager. The new system can then be incorporated into the synchronization group without adversely affecting it.

The gtm_add script acquires all configuration files, including SSL certificates. As a result, it is ideal for acquiring SSL certificates for a new Global Traffic Manager.

To configure subsequent Global Traffic Managers

  1. Log into the system that hosts the Global Traffic Manager.
  2. At the command prompt, type the following:

     gtm_add <IP address of existing Global Traffic Manager>

The script logs into the specified Global Traffic Manager and acquires its configuration files, including relevant SSL certificates. You can then add the Global Traffic Manager to the appropriate synchronization group.

Communicating with third-party systems

When the Global Traffic Manager communicates with third-party systems, whether that system is a load balancing server or a host, it can use SNMP to send and receive information. For details on how the Global Traffic Manager uses SNMP, see Appendix B, Working with SNMP .

Table 3.2 lists the requirements for each communication component between the big3d agent and other external systems.

Table 3.2 Requirements for communication components (third-party systems).

  Communication Component | Requirements
  ------------------------|-------------
  Ports                   | Port 161
  Protocols               | SNMP

Communication between the Global Traffic Manager and third-party systems involves completing the following tasks:

  • Adding the external system to the Global Traffic Manager
  • Adding virtual servers from the third-party system to the Global Traffic Manager

Adding third-party systems to the Global Traffic Manager

The following procedure guides you through adding third-party systems to the Global Traffic Manager. Third-party systems are any load-balancing or host server that is not a part of the BIG-IP product family.

To add a third-party system to the Global Traffic Manager

  1. On the Main tab of the navigation pane, click Servers.
    The main screen for servers opens.
  2. Click the Create button.
    The New Server screen opens.
  3. In the Name box, type a name that identifies the server.
  4. From the Product list, select the appropriate server.
    • Note: The type of server you select from the Product list determines the MIB the Global Traffic Manager uses to interact with the server. We recommend that you be as specific as possible when selecting a server from the Product list.
  5. For Address List, add the IP address of the server.
    To add the IP address, type the address in the Address box, and then click Add. You can add more than one address to any given server, depending on how that server interacts with the rest of your network.
  6. From the Data Center list, select a data center to which the server belongs.
    A server must belong to a data center.
  7. Configure the remaining server settings.
    For additional assistance on these settings, please see the online help.
  8. Click the Create button to create the new server.

For more information, see Chapter 5, Defining the Physical Network .

Adding virtual servers from third-party systems

The following procedure guides you through adding virtual servers that a given third-party system manages to the Global Traffic Manager.

To add virtual servers from third-party systems to the Global Traffic Manager

  1. On the Main tab of the navigation pane, click Servers.
    The main screen for servers opens.
  2. Click the name of the server to which you want to add virtual servers.
    The properties screen for that server appears.
  3. On the menu bar, click Virtual Servers.
    The virtual servers screen opens.
  4. From the Virtual Server Discovery list, select Disabled.
  5. Click the Update button to implement this change.
  6. Click the Add button to begin adding a new virtual server.
    The new virtual server screen opens.
  7. In the Virtual Server List option, supply the appropriate information for the virtual servers, and then click the Add button to add the virtual server to the server.
    For more information on these options, see the online help.
  8. Click the Create button to save the new virtual server.

For more information, see Chapter 5, Defining the Physical Network .
